The present invention relates in general to telecommunications networks, preferably packet radio systems and more particularly, the invention relates to a method and an arrangement for providing legal interception in a mobile packet radio network, such as GPRS.
Mobile communication systems have been developed because there has been a need to allow people to move away from fixed telephone terminals without losing the ability to reach them. While the use of different data transmission services in offices has increased, different data services have also been introduced into mobile communication systems. Portable computers enable efficient data processing everywhere the user moves. As for mobile communication networks, they provide the user with an efficient access network to actual data networks for mobile data transmission. In order to do this, different new data services are designed for existing and future mobile communication networks. Digital mobile communication systems, such as the pan-European mobile communication system GSM (Global System for Mobile Communication), support particularly well mobile data transmission.
General Packet Radio Service (GPRS) is a new service in the GSM system, and it is one the items of the standardisation work of the GSM phase 2+ in ETSI (European Telecommunication Standard Institute). The GPRS operational environment consists of one or more sub-network service areas, which are interconnected by a GPRS backbone network. A sub-network comprises a number of packet data service nodes, which are referred to as GPRS support nodes (or agents) in this context, each packet data service node being connected to a GSM mobile communication network in such a manner that it is capable of providing a packet data service for mobile data terminal equipment via several base stations, i.e. cells. The intermediate mobile communication network provides circuit switched or packet switched data transmission between a support node and mobile data terminal equipment. Different sub-networks are connected to an external data network, such as a public switched packet data network PSPDN. The GPRS service thus produces packet data transmission between mobile data terminal equipment and external data networks, a GSM network acting as an access network. One aspect of the GPRS service network is that it operates almost independently of the GSM network. One of the requirements set for the GPRS service is that it must operate together with external PSPDNs of different types, for instance with Internet or X.25 networks. In other words, the GPRS service and a GSM network should be capable of serving all users, irrespective of which type of data networks they want to register in via the GSM network. This means that the GSM network and the GPRS service have to support and handle different network addressing methods and data packet formats. This handling of data packets also comprises the routing thereof in a packet radio network. In addition, the users should be capable of roaming from a GPRS home network into an external GPRS network. A roaming user may use a PDP (Packet Data Protocol) which is not supported by the visited operator, which, however will should be able to transfer the user data to the home network without understanding the user PDP.
Referring to FIG. 1, a typical scenario for a GPRS network will now be described. It should be understood that the architecture of GPRS systems is not as mature as that of GSM systems. Therefore, all GPRS terms should be interpreted as terms for illustration and not for limitation. A typical mobile station constituting a mobile data terminal equipment consists of a mobile station MS in a mobile communication network, and a portable computer PC connected to the data interface of said mobile station MS. The mobile station MS may be for instance a Nokia 2110, which is manufactured by Nokia Mobile Phones Ltd., Finland. By means of a PCMCIA-type Nokia Cellular Datacard, which is manufactured by Nokia Mobile Phones Ltd., the mobile station can be connected to any portable PC which is provided with a PCMCIA card location. The PCMCIA card thus provides the PC with an access point, which supports the protocol of the telecommunication application used in the PC, for instance CCITT X.25 or Internet Protocol IP. Alternatively, the mobile station may directly provide an access point which supports the protocol used by the application of the PC. Furthermore, it is possible that the mobile station MS and the PC are integrated into one unit within which the application program is provided with an access point supporting the protocol used by it. An example of such a mobile station with an integrated computer is the Nokia Communicator 9000, also manufactured by Nokia Mobile Phones Ltd., Finland.
Network elements BSC and MSC are known from a typical GSM network. The arrangement of FIG. 1 includes a separate support node SGSN (Serving GPRS Support Node) for GPRS service. This support node SGSN controls certain actions of the packet radio service on the network side. Such actions comprise logging on to the system and logging off from the system by the mobile stations MS, routing area updates of the mobile stations MS, and routing of data packets to their proper targets. Within this application, the concept of xe2x80x9cdataxe2x80x9d should be understood broadly to cover any information transferred in a digital communication system. Such information can comprise speech coded into digital form, data transmission between computers, telefax data, short pieces of program code, etc. The SGSN node can be located at a BTS site or at a BSC site or at an MSC site, or it can be located separately from any of these elements. The interface between a SGSN node and the Base Station Controller BSC is called a Gb interface.
The following GPRS/GSM terminology will be used: GTP=GPRS Tunneling Protocol, MM context=Mobility Management Context, DNS=Domain Name Server, HPLMN Home PLMN (Public Land Mobile Network), VPLMN=Visited PLMN, BG=Border Gateway. For convenience, a xe2x80x9ctarget MSxe2x80x9d will be used as a shorthand notation for an xe2x80x9cMS to be interceptedxe2x80x9d. Verbs like xe2x80x9cthinkxe2x80x9d or xe2x80x9cbelievexe2x80x9d in connection with network elements simply mean that this network element sees no difference if a new network element (using the protocols and identifiers of an existing network element) is inserted to the network.
A society must find a balance between protecting the privacy of its citizens and protecting them against crime. Usually this balance is achieved by providing law-enforcement authorities limited access to monitor private communications. A law-enforcement authority (LEA) may e.g. obtain a court order for intercepting a communication line when it is felt that the need to protect the public overrides the need for privacy. Within the context of this application, such interception of a communication line by legally authorised entities will be referred to as xe2x80x9clegal interceptionxe2x80x9d.
This widely accepted principle has many implications within the telecommunications industry. In situations like legal interception, the equipment suppliers and network operators must adapt themselves to two entirely different environments. On the one hand, telecommunication equipment are designed to be used in several networks and countries. The industry itself is largely responsible for making the equipment compatible across the various borders. The development is controlled by laws of economy. On the other hand, the requirements for legal interception may vary abruptly from one country to the next, and they may be changed at will by legal decisions. More specifically, the industry and the network operators face several different problems. They must make sure that only the persons or entities with a valid legal authorisation are able to access the intercepted data. The interception should incur no noticeable changes to the user. For example, a user might be able to detect an added delay and thus detect the interception. One of the pertinent technical problems is that the authorities may not be able to access the home network (HLR and/or GGSN) of a visiting user. Also, it is should be possible to perform the interception using only the data network address of the user or the equipment, such as the IMSI or IMEI. In addition to intercepting the contents of the communication, it should be possible to determine the source and/or the destination of the data packets. In a GPRS network, these problems are aggravated by the fact that GGSN node can be in the user""s home network or in a visited network. In the former case, the user""s data network address is static, whereas in the latter case it is dynamic. Also, different GGSN nodes might be used simultaneously.
Based on the foregoing description, it is an object of the present invention to create a method and suitable network elements (nodes) for providing legal interception in a packet radio network, such as GPRS. The method and the network elements according to the invention should solve as many of the above problems as possible. The object of the invention will be achieved with a method and network elements which are characterized by what is disclosed in the appended independent claims. Advantageous embodiments of the present invention will be presented in the dependent claims.
The invention is based on the vision that legal interception in any one PLMN should be performed from one place only. In other words, any network elements related to legal interception should serve an area which is as large as the laws and regulations allow. The invention is also based on the idea that the technical and legal questions regarding legal interception are of such magnitude and importance that a new and separate network functionality is required.
In general terms, the invention provides a method for intercepting traffic between a first node and a second node of a telecommunications network. A legal interception node (LIN) is installed into the network. In response to an order from a law enforcement authority (LEA). At least some of the traffic to be intercepted is sent to the legal interception node. The legal interception node sends at least some of the traffic sent to it to the law enforcement authority.
The invention is applicable to a mobile packet radio network, such as GPRS. In such a system, the traffic is conveyed in packets comprising a header and a payload part. Some packets relate to location information of terminals (mobile stations) in the network. This location information may be transmitted in the header part or the payload part of the packets. According to a preferred embodiment, the LIN is able to separate the location information from the user data, i.e. understand the protocol(s) used in the network. In response to an order from the LEA, the LIN may send the LEA (1) the user data, (2) the location information, or (3) both.
Since the invention integrates the added functionality into the least possible number of network elements, a flexible method and system for legal interception is provided. The embodiments according to the invention are adaptable to changing technical and legal situations with relative ease. The invention avoids the need to intercept traffic (data and/or signalling) in several different network elements, such as SGSN and GGSN nodes. No unnecessary information related to the identity of a suspected user is given away to third parties, such as other network operators. The invention enables the law enforcement authorities to intercept communications to/from a suspected user either in the user""s home network or his/her visited network. Honest (but suspected) users are not burdened with extra charging and dishonest users can not detect long-term intercepting by means of increased charging. In most situations, the added delays are too small to be detectable.